Revolving Windows 11 management by removing pre-installed apps with dynamic PFN

Microsoft has expanded the ability of administrators to clean and control pre-installed apps on Windows 11 with an improved policy version RemoveDefaultMicrosoftStorePackages, which now supports a dynamic list based on the Package Family Name (PFN). This update allows you to refer any MSIX / APPX package to your PFN and to order its uninstallation from GPO policies or through a custom OMA-URI in MDM environments, making it a centralized policy that was done in a more manual and fragmented way.

For the new functionality to be available in production, the equipment must have at least deployed the April 2026 non-critical Windows update; the Insider program users were able to test it from the March 2026 compilations on the Dev and Beta channels. Microsoft has also extended the compatibility of this policy to the Enterprise and Education editions of Windows 11 version 24H2, so organizations that do not plan to migrate to 25H2 can benefit without updating the entire operating system. More technical details and official guide are in Microsoft's policy documentation RemoveDefaultMicrosoftStorePackages and in the ad on the Windows IT Pro Blog from Microsoft TechCommunity.

In practice, identifying the PFN of an app is simple with PowerShell; for example, run Get-AppxPackage * Notepad * ‐ 124; Select -Object PackageFamilyName returns the chain to be introduced into politics. In environments that use GPO this is configured from the Group Directive Editor under Computer Configuration → Administrative Templates → Windows Components → App Package Deployment, activating the option to remove pre-installed packages and hitting a PFN per line in the field of additional names. If managed with Intune, Microsoft has warned that the dynamic list option will arrive in the coming months and that it will have to be looked for as "Remote Default Microsoft Store packages" in the settings selector when available.

This capacity brings clear benefits: reduction of bloatware, less attack area in corporate teams and more alignment with compliance and privacy policies. However, it also carries operational risks that should be considered before applying a mass disinstallation. Some apparently harmless apps can be dependencies of other corporate processes or integrations; removing them without evidence can affect workflows, support and user experience. In addition, redeployment and updates of removed packages should be planned in case needs change.

My practical recommendations for IT equipment are to start with a controlled validation: identify PFN, test disposal in a pilot group, document dependencies and prepare reversion procedures. Include policies in your runbooks and make sure that table support teams know which apps have been deleted and why. Monitor deployment errors and compatibility telemetry after policy implementation, and use internal communication channels to manage expectations between end-users.

Do not forget that there are other related policies that expand control over recent Windows components, for example the option to remove Copilot on business devices through the RemoveMicrosoftCopilotApp policy, available after the April 2026 cumulative patches; the official documentation of that configuration can be found in the Windows AI CSP reference. RemoveMicrosoftCopilotApp. Assessing these pieces as a whole facilitates a coherent and aligned hardening programme with the organization's security and governance strategy.

From a security perspective, implementing these policies is part of a broader area reduction strategy: removing unnecessary applications makes it more difficult for an attacker to find exploitable local vectors, but it does not replace critical controls such as vulnerability mitigation, regular patches and behaviour-based protection. It is also important to review the licenses and support agreements; when removing pre-installed apps, make sure that no technical support or agreements with third parties are being invalidated.

Finally, plan politics as an iterative process. Keep an updated inventory of PFN in your tenant, automate the capture of PFN for new images and updates and wait for full integration into Intune to simplify large-scale management. If you need step-by-step instructions or specific scenarios (for example, how to exclude apps needed for accessibility or support), see the technical guide and examples in Microsoft documentation and test in laboratories before moving to production.

The ability to selectively uninstall pre-installed apps provides control and efficiency, but its effective implementation requires testing, communication and coordination with security and support. With a well-designed and governed policy, organizations can reduce noise and risks without sacrificing critical functionality.